Flaw in CrushFTP file transfer program being exploited by hackers
A critical zero-day vulnerability has been discovered and reported in the CrushFTP file transfer server software. Tracked as CVE-2025-54309, it has been actively exploited since mid-July 2025 and poses a significant threat to organizations worldwide.
The vulnerability, rated high severity with a CVSS score of 9.0, stems from improper handling of AS2 protocol validation over HTTP(S) [1][3][5]. It affects CrushFTP 10 versions prior to 10.8.5 and CrushFTP 11 versions prior to 11.3.4_23, provided the DMZ proxy feature is not in use [1][3].
The flaw allows remote attackers to bypass authentication and gain administrative access to the server, potentially leading to full system compromise, data exfiltration, backdoor injection, and lateral movement within affected enterprises [1][3]. Given that CrushFTP is widely used in sensitive government, healthcare, and enterprise environments, the impact could be severe [1][3].
The attack vector is HTTP(S) without DMZ isolation, so an exposed instance offers no second layer of defence [1]. The vulnerability came to light because a previous fix for an AS2-related issue overlooked a prior bug; attackers exploited that bug once the changed code was publicly available for review [1].
CrushFTP has released patches to fix this vulnerability in versions 10.8.5 and later for the 10.x line, and 11.3.4_23 and later for the 11.x line [3][5]. Users are strongly urged to update immediately due to active exploitation [1][3]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognised CVE-2025-54309 as a Known Exploited Vulnerability, mandating remediation for federal agencies by August 12, 2025 [1].
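As an added example (not from the article or from CrushFTP), the following check flags instances whose version is below the fixed releases named above (10.8.5 for 10.x, 11.3.4_23 for 11.x) and respects the DMZ-proxy scoping. The parsing of the `_NN` build suffix and the host-to-version inventory format are assumptions made here:

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases as given in the advisory text: 10.8.5 for the 10.x line and
# 11.3.4_23 for the 11.x line. A missing build number is treated as build 0,
# which is an assumption for versions published without the "_NN" suffix.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

# Accepts "11.3.4_23", "10.8.5" or "v11.3.1" (the article quotes a "v" prefix).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a CrushFTP version string into a comparable 4-tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def is_vulnerable(version: str, dmz_proxy: bool = False) -> Optional[bool]:
    """True if the version is below the fixed release for its line (CVE-2025-54309),
    False if patched or out of scope, None if the version string cannot be parsed.
    The advisory scopes the flaw to deployments that do not use the DMZ proxy."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if dmz_proxy:
        return False
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return False  # only the 10.x and 11.x lines are named as affected
    return parsed < fixed  # tuple comparison handles major.minor.patch_build order

def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {host: version}, return the hosts that still need the patch, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ftp-a": "11.3.4_23", "ftp-b": "v11.3.1", "ftp-c": "10.8.4", "ftp-d": "10.8.5"}
    print("needs patching:", triage(sample))
```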
However, there appears to have been some initial confusion regarding the CVE assignment. While the more prominently reported CVE for CrushFTP's critical flaw is CVE-2025-54309, some sources mistakenly refer to CVE-2025-31161 [1][3]. None of the current authoritative and recent sources identify CVE-2025-31161 as associated with CrushFTP; all reports and official databases point to CVE-2025-54309 for this critical zero-day in July 2025 [1][3].
As of March 30, Shadowserver Foundation observed 1,512 unpatched CrushFTP instances vulnerable to CVE-2025-2825, down from approximately 1,800 on March 28 [2]. The exploitation attempts originate primarily from IP addresses in Asia, with a smaller number from Europe and North America [4].
In a statement, Ben Spink, CEO of CrushFTP, confirmed receiving reports of customer compromises via the authentication bypass flaw [6]. Spink also asserted that the real CVE for the authentication bypass flaw is CVE-2025-31161, which currently does not have an entry in either NIST's National Vulnerability Database or Mitre's CVE.org [7].
According to Spink, another cybersecurity company created confusion by "taking credit for something they didn't discover" and assigning a different CVE to the same vulnerability before CrushFTP was able to fully disclose it publicly [7]. Spink wrote that they realised shortly after the initial email that some v10 versions were also affected and updated the page to indicate this [8].
CrushFTP first informed customers of the vulnerability privately via email on March 21, urging them to upgrade to v11.3.1 immediately [8]. File transfer products and services have been heavily targeted in recent years by a variety of threat actors, including ransomware gangs.
| Attribute | Details |
|-------------------------|-------------------------------------------|
| Affected Software | CrushFTP 10.x < 10.8.5, 11.x < 11.3.4_23 |
| Vulnerability | AS2 HTTP(S) validation mishandling |
| Impact | Remote admin access, full system compromise |
| CVE ID | CVE-2025-54309 |
| CVSS Score | 9.0 (Critical) |
| Exploitation Status | Active in the wild (zero-day) |
| Patch | Update to 10.8.5 / 11.3.4_23 or later |
| CISA KEV Catalog Status | Listed, mandatory remediation by 2025-08-12 |
In conclusion, CVE-2025-54309 is the confirmed, actively exploited vulnerability in CrushFTP, and the confusion around CVE-2025-31161 is likely due to mistaken references or misinformation. Users should refer to CVE-2025-54309 for trusted updates and mitigation.
- The recently discovered critical zero-day vulnerability in CrushFTP, CVE-2025-54309, is actively exploited by hackers, posing a serious threat to privacy and cybersecurity, especially in sensitive government, healthcare, and enterprise environments.
- The vulnerability, with a high severity score of 9.0, is due to an improper handling of AS2 protocol validation over HTTP(S) and allows remote attackers to bypass authentication, gain administrative access, and potentially lead to full system compromise.
- To clear up the confusion: CVE-2025-31161 is not associated with the critical zero-day vulnerability in CrushFTP; all reports and official databases point to CVE-2025-54309 for this issue. Users are advised to refer to CVE-2025-54309 for trusted updates and mitigation strategies.